Use permission sets where possible.
Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible.
This commit is contained in:
parent
c2b2d22b35
commit
0f7c400223
@ -39,7 +39,7 @@ allow nx_server_t self:fifo_file rw_fifo_file_perms;
|
||||
allow nx_server_t self:tcp_socket create_socket_perms;
|
||||
allow nx_server_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow nx_server_t nx_server_devpts_t:chr_file { rw_chr_file_perms setattr };
|
||||
allow nx_server_t nx_server_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
|
||||
term_create_pty(nx_server_t, nx_server_devpts_t)
|
||||
|
||||
manage_dirs_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t)
|
||||
@ -90,9 +90,9 @@ sysnet_read_config(nx_server_t)
|
||||
|
||||
ifdef(`TODO',`
|
||||
# clients already have create permissions; the nxclient wants to also have unlink rights
|
||||
allow userdomain xdm_tmp_t:sock_file unlink;
|
||||
allow userdomain xdm_tmp_t:sock_file delete_sock_file_perms;
|
||||
# for a lockfile created by the client process
|
||||
allow nx_server_t user_tmpfile:file getattr;
|
||||
allow nx_server_t user_tmpfile:file getattr_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -26,10 +26,10 @@ files_config_file(oidentd_config_t)
|
||||
#
|
||||
|
||||
allow oidentd_t self:capability { setuid setgid };
|
||||
allow oidentd_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
|
||||
allow oidentd_t self:netlink_tcpdiag_socket { write read create nlmsg_read };
|
||||
allow oidentd_t self:tcp_socket { setopt read bind create accept write getattr listen };
|
||||
allow oidentd_t self:udp_socket { write read create connect getattr ioctl };
|
||||
allow oidentd_t self:netlink_route_socket create_netlink_socket_perms;
|
||||
allow oidentd_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
|
||||
allow oidentd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow oidentd_t self:udp_socket create_socket_perms;
|
||||
allow oidentd_t self:unix_dgram_socket { create connect };
|
||||
|
||||
allow oidentd_t oidentd_config_t:file read_file_perms;
|
||||
|
@ -24,10 +24,10 @@ files_pid_file(pads_var_run_t)
|
||||
#
|
||||
|
||||
allow pads_t self:capability { dac_override net_raw };
|
||||
allow pads_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
|
||||
allow pads_t self:packet_socket { ioctl setopt getopt read bind create };
|
||||
allow pads_t self:udp_socket { create ioctl };
|
||||
allow pads_t self:unix_dgram_socket { write create connect };
|
||||
allow pads_t self:netlink_route_socket create_netlink_socket_perms;
|
||||
allow pads_t self:packet_socket create_socket_perms;
|
||||
allow pads_t self:udp_socket create_socket_perms;
|
||||
allow pads_t self:unix_dgram_socket create_socket_perms;
|
||||
|
||||
allow pads_t pads_config_t:file manage_file_perms;
|
||||
files_etc_filetrans(pads_t, pads_config_t, file)
|
||||
|
@ -38,7 +38,7 @@ allow pegasus_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow pegasus_t self:tcp_socket create_stream_socket_perms;
|
||||
|
||||
allow pegasus_t pegasus_conf_t:dir rw_dir_perms;
|
||||
allow pegasus_t pegasus_conf_t:file { read_file_perms link unlink };
|
||||
allow pegasus_t pegasus_conf_t:file { read_file_perms link delete_file_perms };
|
||||
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
|
||||
|
||||
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
||||
@ -56,7 +56,7 @@ manage_dirs_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
|
||||
manage_files_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
|
||||
files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { file dir })
|
||||
|
||||
allow pegasus_t pegasus_var_run_t:sock_file { create setattr unlink };
|
||||
allow pegasus_t pegasus_var_run_t:sock_file { create_sock_file_perms setattr_sock_file_perms delete_sock_file_perms };
|
||||
manage_dirs_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
|
||||
manage_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
|
||||
files_pid_filetrans(pegasus_t, pegasus_var_run_t, { file dir })
|
||||
|
@ -27,7 +27,7 @@ files_type(pingd_modules_t)
|
||||
|
||||
allow pingd_t self:capability net_raw;
|
||||
allow pingd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow pingd_t self:rawip_socket { write read create bind };
|
||||
allow pingd_t self:rawip_socket create_socket_perms;
|
||||
|
||||
read_files_pattern(pingd_t, pingd_etc_t, pingd_etc_t)
|
||||
|
||||
|
@ -123,9 +123,9 @@ allow postfix_master_t postfix_data_t:file manage_file_perms;
|
||||
|
||||
allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms lock };
|
||||
|
||||
allow postfix_master_t postfix_postdrop_exec_t:file getattr;
|
||||
allow postfix_master_t postfix_postdrop_exec_t:file getattr_file_perms;
|
||||
|
||||
allow postfix_master_t postfix_postqueue_exec_t:file getattr;
|
||||
allow postfix_master_t postfix_postqueue_exec_t:file getattr_file_perms;
|
||||
|
||||
manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
|
||||
manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
|
||||
@ -145,7 +145,7 @@ manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
|
||||
files_spool_filetrans(postfix_master_t, postfix_spool_t, dir)
|
||||
|
||||
allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms;
|
||||
allow postfix_master_t postfix_spool_bounce_t:file getattr;
|
||||
allow postfix_master_t postfix_spool_bounce_t:file getattr_file_perms;
|
||||
|
||||
manage_dirs_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
|
||||
manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
|
||||
@ -240,7 +240,7 @@ allow postfix_bounce_t self:capability dac_read_search;
|
||||
allow postfix_bounce_t self:tcp_socket create_socket_perms;
|
||||
|
||||
allow postfix_bounce_t postfix_public_t:sock_file write;
|
||||
allow postfix_bounce_t postfix_public_t:dir search;
|
||||
allow postfix_bounce_t postfix_public_t:dir search_dir_perms;
|
||||
|
||||
manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
|
||||
manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
|
||||
@ -559,7 +559,7 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
|
||||
|
||||
allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
|
||||
allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
|
||||
allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file { getattr read };
|
||||
allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms;
|
||||
|
||||
corecmd_exec_bin(postfix_qmgr_t)
|
||||
|
||||
@ -579,7 +579,7 @@ postfix_list_spool(postfix_showq_t)
|
||||
|
||||
allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
|
||||
allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
|
||||
allow postfix_showq_t postfix_spool_maildrop_t:lnk_file { getattr read };
|
||||
allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
|
||||
|
||||
# to write the mailq output, it really should not need read access!
|
||||
term_use_all_ptys(postfix_showq_t)
|
||||
|
@ -26,11 +26,11 @@ files_pid_file(postfix_policyd_var_run_t)
|
||||
allow postfix_policyd_t self:capability { sys_resource sys_chroot setgid setuid };
|
||||
allow postfix_policyd_t self:process setrlimit;
|
||||
allow postfix_policyd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow postfix_policyd_t self:unix_dgram_socket { connect create write};
|
||||
allow postfix_policyd_t self:unix_dgram_socket create_socket_perms;
|
||||
|
||||
allow postfix_policyd_t postfix_policyd_conf_t:dir list_dir_perms;
|
||||
allow postfix_policyd_t postfix_policyd_conf_t:file read_file_perms;
|
||||
allow postfix_policyd_t postfix_policyd_conf_t:lnk_file { getattr read };
|
||||
allow postfix_policyd_t postfix_policyd_conf_t:lnk_file read_lnk_file_perms;
|
||||
|
||||
manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t)
|
||||
files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file)
|
||||
|
@ -185,7 +185,7 @@ allow postgresql_t postgresql_etc_t:dir list_dir_perms;
|
||||
read_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
|
||||
read_lnk_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
|
||||
|
||||
allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
|
||||
allow postgresql_t postgresql_exec_t:lnk_file read_lnk_file_perms;
|
||||
can_exec(postgresql_t, postgresql_exec_t )
|
||||
|
||||
allow postgresql_t postgresql_lock_t:file manage_file_perms;
|
||||
|
@ -84,11 +84,11 @@ allow pppd_t self:packet_socket create_socket_perms;
|
||||
|
||||
domtrans_pattern(pppd_t, pptp_exec_t, pptp_t)
|
||||
|
||||
allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr };
|
||||
allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
|
||||
|
||||
allow pppd_t pppd_etc_t:dir rw_dir_perms;
|
||||
allow pppd_t pppd_etc_t:file read_file_perms;
|
||||
allow pppd_t pppd_etc_t:lnk_file { getattr read };
|
||||
allow pppd_t pppd_etc_t:lnk_file read_lnk_file_perms;
|
||||
|
||||
manage_files_pattern(pppd_t, pppd_etc_rw_t, pppd_etc_rw_t)
|
||||
# Automatically label newly created files under /etc/ppp with this type
|
||||
|
@ -209,8 +209,8 @@ prelude_manage_spool(prelude_correlator_t)
|
||||
#
|
||||
|
||||
allow prelude_lml_t self:capability dac_override;
|
||||
allow prelude_lml_t self:tcp_socket { write getattr setopt read create connect };
|
||||
allow prelude_lml_t self:unix_dgram_socket { write create connect };
|
||||
allow prelude_lml_t self:tcp_socket { setopt create_socket_perms };
|
||||
allow prelude_lml_t self:unix_dgram_socket create_socket_perms;
|
||||
allow prelude_lml_t self:fifo_file rw_fifo_file_perms;
|
||||
allow prelude_lml_t self:unix_stream_socket connectto;
|
||||
|
||||
|
@ -35,7 +35,7 @@ allow procmail_t self:udp_socket create_socket_perms;
|
||||
can_exec(procmail_t, procmail_exec_t)
|
||||
|
||||
# Write log to /var/log/procmail.log or /var/log/procmail/.*
|
||||
allow procmail_t procmail_log_t:dir setattr;
|
||||
allow procmail_t procmail_log_t:dir setattr_dir_perms;
|
||||
create_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
|
||||
append_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
|
||||
read_lnk_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
|
||||
|
@ -176,8 +176,8 @@ allow puppetmaster_t self:udp_socket create_socket_perms;
|
||||
list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
|
||||
read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
|
||||
|
||||
allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr };
|
||||
allow puppetmaster_t puppet_log_t:file { rw_file_perms create setattr };
|
||||
allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr_dir_perms };
|
||||
allow puppetmaster_t puppet_log_t:file { rw_file_perms create_file_perms setattr_file_perms };
|
||||
logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
|
||||
allow puppetmaster_t puppet_log_t:file relabel_file_perms;
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user